"""
Rate limiting utility for authentication endpoints.
Provides a global limiter instance that can be imported by blueprints.

Rate limits are configurable via UI settings (security.rate_limit_*) and
stored in server_config.json. Changes require server restart to take effect.

Note: This is designed for single-instance local deployments. For multi-worker
production deployments, configure Redis storage via RATELIMIT_STORAGE_URL.
"""

from flask import request
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

from ...settings.env_registry import is_rate_limiting_enabled
from ..server_config import load_server_config

# Load rate limits from server config (UI-configurable)
# Multiple limits can be separated by semicolons (e.g., "5000 per hour;50000 per day")
_config = load_server_config()
DEFAULT_RATE_LIMIT = _config["rate_limit_default"]
LOGIN_RATE_LIMIT = _config["rate_limit_login"]
REGISTRATION_RATE_LIMIT = _config["rate_limit_registration"]


def get_client_ip():
    """
    Get the real client IP address, respecting X-Forwarded-For headers.

    This is important for deployments behind proxies/load balancers.
    Falls back to direct remote address if no forwarded headers present.
    """
    # Check X-Forwarded-For header (set by proxies/load balancers)
    forwarded_for = request.environ.get("HTTP_X_FORWARDED_FOR")
    if forwarded_for:
        # Take the first IP in the chain (client IP)
        return forwarded_for.split(",")[0].strip()

    # Check X-Real-IP header (alternative proxy header)
    real_ip = request.environ.get("HTTP_X_REAL_IP")
    if real_ip:
        return real_ip.strip()

    # Fallback to direct remote address
    return get_remote_address()


# Global limiter instance - will be initialized in app_factory
# Rate limiting is disabled in CI unless ENABLE_RATE_LIMITING=true
# This allows the rate limiting test to run with rate limiting enabled
#
# Note: In-memory storage is used by default, which is suitable for single-instance
# deployments. For multi-instance production deployments behind a load balancer,
# configure Redis storage via RATELIMIT_STORAGE_URL environment variable:
#   export RATELIMIT_STORAGE_URL="redis://localhost:6379"
limiter = Limiter(
    key_func=get_client_ip,
    default_limits=[DEFAULT_RATE_LIMIT],
    storage_uri="memory://",
    headers_enabled=True,
    enabled=is_rate_limiting_enabled,
)


# Shared rate limit decorators for authentication endpoints
# These can be imported and used directly on routes
login_limit = limiter.shared_limit(
    LOGIN_RATE_LIMIT,
    scope="login",
)

registration_limit = limiter.shared_limit(
    REGISTRATION_RATE_LIMIT,
    scope="registration",
)
